ssh keyscan issue

Discussion about community tools that we make available for z/OS without support
tejas1990
Posts: 4
Joined: Wed Jun 13, 2018 9:24 am

ssh keyscan issue

Post by tejas1990 »

Hi All,
I have built a couple sshd servers, and while doing keyscans to validate the responses I'm getting a good response from one but not the other. Any ideas on what's wrong? The configs all look similar at both ends....

failing one

MSU28:/u/msu28: >ssh-keyscan -vvv -t rsa ip.adddress
debug2: fd 3 setting O_NONBLOCK
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
FOTS0410 10.13.101.201: Connection closed by remote host
MSU28:/u/msu28: >

Working one

MSU28:/u/msu28: >ssh-keyscan -vvv -t rsa 10.1*******
debug2: fd 3 setting O_NONBLOCK
debug1: match: OpenSSH_5.0 pat OpenSSH*
# 10.13.105.201 SSH-2.0-OpenSSH_5.0
debug1: cipher_init: none from source OpenSSL
debug1: cipher_init: none from source OpenSSL
debug1: Enabling compatibility mode for protocol 2.0
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g
roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij
ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour12
8,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rij
ndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-g
roup-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: mac_setup_by_id: hmac-sha1 from source OpenSSL
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: mac_setup_by_id: hmac-sha1 from source OpenSSL
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 158/320
debug2: bits set: 1022/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
10.13.105.201 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1WWrY23gkqbJgc9CHreqUuNcLmuWIy


The server is pinging, so there is no fw issue.
tejas1990
Posts: 4
Joined: Wed Jun 13, 2018 9:24 am

Re: ssh keyscan issue

Post by tejas1990 »

Also, the telnet to the failing system on port 22 says connection closed too; telnet on other ports works good.
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: ssh keyscan issue

Post by dovetail »

ssh-keyscan needs to connect to the SSHD server and what you are seeing indicates that it can't.

Could be:

- the SSHD server is rejecting the request from this host/network/etc (see sshd_config)
- there is a firewall that is terminating the connection
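
Added example, not part of the original posts: in the failing trace above no `match:` / `SSH-2.0-...` line ever appears, so the connection is closed before the server sends its identification string. The Python sketch below separates that case from a refused port, a silent connection and a normal banner; the function names and state labels are assumptions of this example, not part of OpenSSH or the z/OS tools.

```python
import socket
import sys

MAX_PREAMBLE = 8192  # assumed cap for this example on bytes read before giving up


def _ident(lines):
    """Return the first 'SSH-' identification line, or None."""
    for line in lines:
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r").decode("ascii", "replace")
    return None


def read_banner(sock, timeout=5.0):
    """Classify what a connected peer does before the SSH key exchange starts."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < MAX_PREAMBLE:
            chunk = sock.recv(256)
            if not chunk:  # orderly close by the peer
                break
            buf += chunk
            found = _ident(buf.split(b"\n")[:-1])  # complete lines only
            if found:
                return "banner", found
    except socket.timeout:
        return "timeout", "connection open but no identification line"
    except ConnectionResetError:
        return "closed_before_banner", "reset by peer"
    found = _ident(buf.split(b"\n"))  # banner sent without a final newline
    if found:
        return "banner", found
    if buf:
        return "no_banner", "peer sent %d bytes, none an SSH- line" % len(buf)
    return "closed_before_banner", "peer closed without sending anything"


def probe(host, port=22, timeout=5.0):
    """Connect to host:port and report how far the SSH greeting gets."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return read_banner(s, timeout)
    except ConnectionRefusedError:
        return "refused", "nothing accepted the TCP connection"
    except OSError as exc:  # includes connect timeouts and unreachable hosts
        return "error", str(exc)


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22))
```

A `closed_before_banner` result corresponds to the FOTS0410 message in the failing run: the TCP connection was accepted and then dropped before any SSH data, which fits either cause listed above.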
tejas1990
Posts: 4
Joined: Wed Jun 13, 2018 9:24 am

Re: ssh keyscan issue

Post by tejas1990 »

These systems that I am trying to and from are basically the same box, but different partitions.
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: ssh keyscan issue

Post by dovetail »

What happens when you try to connect with: ssh -vvv to the same host?

You might check the server's sshd log file (in syslogd files). There may be some information there on why the request is rejected.
tejas1990
Posts: 4
Joined: Wed Jun 13, 2018 9:24 am

Re: ssh keyscan issue

Post by tejas1990 »

If I do it within the same host I get the same issue, reckon it's a non-fw issue. Tried changing the port to 1022 as well, but no luck yet.

MSU28:/u/msu28: >ssh-keyscan -vvv -t rsa -p 1022 1********
debug2: fd 3 setting O_NONBLOCK
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
FOTS0410 10.13.101.201: Connection closed by remote host